Digging Into WannaCry Details: Answers to Your Burning Questions

The WannaCry ransomware attack spread so quickly and has been so disruptive that IT departments can’t get enough information about what caused it, how it can be remediated and what can be done to protect their organizations from similar threats. This thirst for insights, explanations and best practices was evident during the Q&A portion of our recent webcast “How to Rapidly Identify Assets at Risk to WannaCry Ransomware.”

Below is a transcript of 20 questions asked by participants, and the answers provided by security expert and Qualys Product Management Director Jimmy Graham.

1. There were a number of C2 IP addresses and domains identified with the WannaCry ransomware, others in the kill switch domain. Do you suggest blocking these at the org perimeter while leaving the kill switch domains accessible?

I would recommend making sure that you have good intelligence before blocking anything because of these kill switch domains. I’ve seen some information out there where people have recommended blocking. Obviously, that’s not something you want to do with the kill switch domain.

For the C2 IP addresses, they’re using Tor for a lot of this C2 traffic. You could try to block the Tor exit nodes or the Tor nodes that you use to connect into the Tor network, but that’s probably very difficult to do. Those are changing all the time. If you’re able to block them, that may prevent some amount of the spread, but Tor is very good at getting out of your network. If they’ve implemented it properly, they could even tunnel through your proxy.

Really, you want to focus on patching for this because there’s lots of other C2 channels that people could bake into this malware in future versions of the malware. Some of those things may be a stop-gap, but any of that would be a very temporary measure.

2. As SMB has two components, server and client, which components should we disable on the computers and how?

For this specific piece of malware, it’s leveraging the server SMB. Where Microsoft recommends to disable SMBv1, you want to disable the server. You should probably also be disabling on the client. There are exploits, man-in-the-middle exploits, other things that were released as part of Shadow Brokers. It’s something that you want to disable on both sides.

3. What if the Twitter user @malwaretech had not registered the domain name? What other exploits could be developed from the Vault 7 dump?

The Twitter user who registered that domain name, that domain name was only specific to one variant of the malware. Other variants use different kill switch domains, some of the variants don’t have a kill switch. Some variants even use the opposite on the same kill switch domains. They look for the domain to be up, and they’re active only if the domain is up.

Really, the impact that he had was only on that one initial outbreak. There’s still other types of malware and other variants of WannaCry definitely still leveraging these same vulnerabilities. A kill switch domain is no longer a factor.

4. Can the vulnerability be detected with non-authenticated scans?

Yes. We can detect with 91345. That specific detection does have a remote check.

5. Can we push updates through Qualys agents via dashboard?

That will be part of our patching platform. Our patching platform will have the capability of pushing updates and will leverage existing technologies like AssetView for you to search and narrow down which machines you want to target for the patching, but that will be part of our patching platform.

6. In cases like this, do you derive signatures and rules in-house, or do your analysts get them from the research community?

We write our own signatures for these vulnerability detections. We also work within the research community. We use open source information, we have partners that we work with, but we do write them ourselves. We have a malware research team that researches malware specifically. That’s why we have some malware checks for large events like this, like WannaCry. In general, we’re writing our own signatures for the vulnerability detections.

7. When is the patching going to be available and for what platforms?

For patching, we plan to support the standard platforms. Obviously, the initial focus will most likely be Windows. Patch management, we do have a product manager for patch management. I am not that product manager, but it is something that we’re trying to roll out as soon as we can in terms of an official release date. We don’t have an official release date, but it’s something that we’re actively working on right now.

For the vulnerability prediction piece, that is part of ThreatPROTECT. It is something that we’re, again, also working on actively. That prediction engine will basically take data that we already have on your assets and try to predict which vulnerabilities you have because, in a lot of cases, especially in zero-day situations, we already know which operating systems you have in your environment.

We’ll add that to the ThreatPROTECT live feed and we’ll add that to the dashboards as well, but we’ll be able to say, “Okay, we haven’t detected this vulnerability with a scan because you haven’t had a scan yet, but we have pulled enough inventory information about your assets to know that you probably should be looking at this vulnerability.” That way you get some advanced notice before your scan even runs.

8. Please define agent. Are you referring to typical endpoint protection software or a different piece of software that has a job of pinging back to central dashboard with info on its status?

We offer a Qualys Cloud Agent. It has the same vulnerability QIDs and vulnerability detections, it’s just embedded into an agent. Like I said, we do that to give more real-time access to the data so you’re not waiting on scan schedules. Also, we’ll follow the asset around because it is an agent on the system. For mobile assets, for laptops, that’s something you can just load onto the system and you can get constant visibility into those systems and their patch level.

It is software that runs on it. It’s very lightweight application. The intelligence is in the Cloud Platform, not in the agent. The agent’s just collecting data. That makes it have a very lightweight footprint on the endpoint.

9. If we installed the patch for MS17-010 and we did not restart them, would Qualys still pick them up as vulnerable in a scan?

Yes, it should. With patches that require reboot, the replacement of the DLL happens after the reboot, during that reboot process. We are actually checking the version of the DLL. That will tell us, “Okay, the system is vulnerable.”

The reason why it’s good to call out not rebooted systems in a widget like that, if you can say, “I have this many vulnerability detections,” and it might be because that correlates very highly to my systems that have not been rebooted. You can get a feel for where you are in your patching process.

10. How does non-authenticated scanning at QID 91345 work? What does it test for?

We connect to the IPC share and we send a very specific SMB request and look for an error. If we see that error, then we know it’s a vulnerable system. If somebody needs more details on that, feel free to email me and I can get you the exact things that we’re running to check that.

11. Have you seen WannaCry leveraging SMB on Linux to propagate?

I’ve not heard reports of that, of WannaCry leveraging it on Linux. Theoretically, some of these exploits are in SMBv1 and can be exploited. I haven’t seen that happen. It’s something that if you are running Samba, you want to make sure that you’re running later versions of Samba on those systems because they still may have a vulnerability.

12. If systems are already infected, how can they be cleaned?

It’s very difficult to clean a system. Whenever you have a malware infection like this, you never know what else has been dropped. Specifically for WannaCry, it was very focused on the ransomware aspect. With all the variants that are out there, in these types of cases where you have an infection and you’re not able to get detailed knowledge of what exactly has happened on your system, for one, your files are probably encrypted, so you have to restore those from backup.

I recommend wiping the system, starting with a new image and rebuilding the system because it’s very difficult to clean up malware. Malware is very good at hiding. It’s not something that I’d recommend just trying to clean.

Obviously, that can be a lot for a site that’s had a large scale infection, but, again, in order to really be sure that you’re no longer impacted, I think it’s important to start with a new image and rebuild that system. Outside of that, there are guides online for how to remove the malware, but that’s something that you’d have to get from an online resource.

13. What do we do if the ransomware is in one of our file shares? How do we stop it from spreading?

If the ransomware has actually infected a system, it’s most likely already propagated to all of your other systems. If it’s just a piece of malware sitting on a file share, that’s not necessarily active. That’s something you’d want to clean up right away and remove.

In terms of just immediately stopping spread, you can disable SMB completely. You can disable SMBv1 as a workaround, start rolling out patches, but because of the way this spreads, it’s very difficult to stop. By the time you’ve implemented any measures to slow the spread, it’s probably too late. It’s probably infected as many as it’s going to infect.

14. Can Qualys scanners identify vulnerabilities in basic scans, or does it need authenticated scans to identify MS17-010 vulnerabilities?

Yes, we do offer remote check, and we offer remote checks for a lot of vulnerabilities. Obviously, authenticated scanning is always better because you can get some deeper visibility into that asset to know what you’re missing, but from an outside perspective, if there’s a service listening on a port, many, many times we can identify a vulnerability just by hitting those outside ports. There is value in unauthenticated scanning, but we do recommend authenticated scanning or using the Qualys cloud agent to get that detailed view.

15. In terms of the variant WannaCry that’s may be morphing now, what can we do to catch the morphing WannaCry vulnerability?

That’s difficult to predict because there’s the WannaCry malware that was initially released. There were variants based on that. There’s now completely separate ransomware that’s using the same vulnerability, and the vulnerability itself is not changing. The method that they’re using is not changing, so you want to definitely patch these systems so they can’t spread. That way, if there is a new variant leveraging the same exploit, you’re protected from anything trying to use this specific vulnerability and this specific exploit.

16. How can you tell if the Windows patch was installed? What are the indicators you use to identify the existence of MS17-010? People are saying that they’ve not found the indicators from Microsoft, and they’re wondering if we have other information on that.

There’s a couple of things you can check. There’s some registry information regarding installed patches. There’s DLL versions. Obviously, this is something that we automate with our scanners and agent, but if you look at the MS17-010 package contents, which Microsoft does publish, you could look at those newer versions which DLLs are dropped and what versions they are, and then try to manually look for those DLLs on your system.

That’s a fairly time-consuming process. Some of it could be scripted, but Microsoft does publish at least what the new versions are. You should be able to look for anything lower than those versions, but I wouldn’t recommend that. It’s very difficult to scale process, very manual.

17. If Windows XP or Server 2003 systems receive the MS17-010 patch, are the systems no longer vulnerable to WannaCry or are they still vulnerable?

For the XP and 2003 systems and Windows 8 that they released the end-of-life patch for, it’s not really MS17-010; it’s another knowledge base article number, it’s in the slides, but those should be no longer vulnerable. In order to install those, another thing to note is that they do have to be on the latest service pack. They need to be on XP Service Pack 3 or Server 2003 Service Pack 2 in order to install those. Once you install [the additional patches], those systems are no longer vulnerable.

That said, there are a lot of vulnerabilities still in those platforms. Those are not platforms that you want to keep in your environment. You should be actively trying to replace and evergreen those systems.

18. Does ThreatPROTECT view, detect, and recommend patches for only Microsoft products or other applications and operating systems as well?

Yes. All of AssetView and ThreatPROTECT is based on our vulnerability signatures that we write. That includes Microsoft Windows, that includes Linux and UNIX systems. We support a wide, wide variety of platforms, operating systems, databases, software. Some of that requires that you use the agent or authenticated scanning to get that deep view into software, but we’ll tell you if you have a vulnerability in Adobe Flash or Java or anything like that.

19. How do you see the challenge of less than 30 days as a cycle time? Because the changes need deployment, regression testing, and buffer time for any code, or the system breaks.

It’s important, definitely, to test, and to perform regression testing. The most important thing here is scanning every 30 days is definitely not enough. This is why we really push an agent model. The quicker that you can quickly identify a vulnerable asset, then the quicker you can respond to it, to know that it needs to be patched.

In addition, you should have a patch management process that is outside of your vulnerability management process, so your system owners are aware that new patches are available and can be deployed to remediate these vulnerabilities so they can be triaged and prioritized appropriately and deployed.

I recommend rolling updates to where as soon as Microsoft releases patches on their monthly cycle, you should deploy those directly to some test systems. That’s something you should immediately begin testing, and work toward a gradual, staged rollout to the rest of your environment, including production, because there is risk to deploying security patches.

I think it’s shown to be minimal as of late. Microsoft does test these, and they’re fairly well-tested. It doesn’t mean there’s never a problem with the security patch, but with the proper rollout, you should be able to get that time frame down to one week or two weeks for these types of systems, because the risk of being exploited is becoming much higher than the risk of operational impact from the patch itself.

20. Is it possible to create widgets to see how many have been fixed and patched for MS17-010?

Yes, absolutely. You can create a widget that, for systems, you can say, “I want to see these operating systems that don’t have this QID detected,” and that will give you a good count of your systems that have been patched.

Related

One response to “Digging Into WannaCry Details: Answers to Your Burning Questions”

Great article, I was just wondering what exactly the patch changes. For instance if I install the patch and then uninstall the patch, what did that installation affect? What didnt get rolled back when I did the uninstall? I have an issue where an application wont function correctly after installing and uninstalling the patch. So this leads me to believe that something didnt change back when the patch was uninstalled.